Threatpost | The first stop for security news


Zerodium Offering $1M for Tor Browser Zero Days

by Chris Brook, September 13, 2017, 12:54 pm

The exploit acquisition vendor Zerodium is doubling down again.

Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.


The company said it will pay up to $1 million in total for fully functional, previously unknown zero-day exploits for Tor Browser on Tails Linux and Windows. Specifically, it will pay $250,000 for a combined remote code execution and local privilege escalation chain that reaches root/system on both Tails and Windows, or $200,000 for a combined chain that works on only one of the two. Smaller bounties are offered for exploits that achieve RCE alone, and for exploits that only work when JavaScript is allowed to run.

The company said that exploits requiring manipulation of Tor nodes, or exploits that would disrupt the Tor network itself, won’t be accepted. Submissions must include the full exploit, which must be unknown and previously unpublished, alongside a whitepaper explaining the techniques. Zerodium says the attack vector has to be a web page targeting the latest version of the browser, either in its default configuration (JavaScript allowed, security slider set to low) or in a hardened configuration where JavaScript is blocked.

Zerodium (@Zerodium) tweeted on Sep 13, 2017 at 3:02 PM: “Announcement: We offer one million US dollars ($1,000,000) in bounties for Tor Browser #0day exploits. Details at: zerodium.com/tor.html”

Like it did when it announced the messaging app bounties, Zerodium says the Tor bounty is designed to help its government customers track criminals who use the browser.

When reached on Wednesday, a Tor Project spokesperson said the high payout was a good example of the security the browser provides. But, he also suggested participating in Zerodium’s bug bounty program could put Tor users’ lives at stake.

“We think the amount of the bounty is a testament to the security we provide. We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty. Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, has made a name for itself by offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty centered on iOS 9. It then one-upped itself by offering a $1.5 million bounty for an iOS 10 remote jailbreak around this time last year.

In August the company said that a spike in demand from its customers, which it describes as democratic and non-sanctioned governments, combined with the small attack surface of private messaging apps, led to the change in bounty pricing. Zerodium said Wednesday that the use of Tor Browser in “many cases” by attackers to carry out drug trafficking and child abuse has helped drive demand for Tor zero days.

When reached Wednesday, Bekrar said that previous Tor zero days, notably those used in 2013 and 2016, didn’t threaten the lives of any users.

“All known Tor Browsers exploits that have been used by Gov agencies in the past (2013 & 2016) didn’t threaten life of ANY legitimate user,” Bekrar said. “Those exploits were all used against pedophiles & drug traffickers, and Tor Project should stop defending these people.”

Unlike the private messaging app bounty, which is ongoing, the company’s Tor Browser exploit bounty is time-limited. Zerodium said the Tor bounty is open until November 30 at 6 p.m., or until the total payout reaches $1 million, but that the company will still entertain exploits after that date.

“As we’ve set the prices very high, we had to limit this in time,” Bekrar said. “After the deadline, we will still acquire such exploits as part of our usual program and prices.”

This article was updated at 10 a.m. Sept 14 with comments from Chaouki Bekrar.

Categories: Vulnerabilities, Web Security
